Lock down your organization’s security

A challenge that most organizations face is how to best protect sensitive data. Obviously, securing your network and servers is your first step, but you also need to implement some form of data encryption. Unfortunately, data-encryption solutions can be awkward to use (e.g., pretty good privacy—PGP) or lacking in customization options (e.g., Windows 2000’s Encrypting File System—EFS). Cyber-Ark Software’s PrivateArk 1.41, which uses a series of encrypted vaults and safes to provide strong data encryption and file-security management, offers a level of data security that you probably haven’t encountered before. Like products such as WatchGuard’s ServerLock and Authentica’s MailVault, PrivateArk is dedicated to providing strong data security; however, PrivateArk is unique in its customizable features and management options.

I installed PrivateArk on my 450MHz Pentium II system, which had 256MB of RAM and Win2K Server Service Pack 1 (SP1) installed. (Cyber-Ark recommends—but doesn’t require—Win2K SP1. Under Windows NT 4.0, PrivateArk requires SP5 or later.) PrivateArk Server requires a Pentium processor or better, with a recommended 128MB of RAM. PrivateArk’s client software requires a Pentium processor or better and 32MB of RAM.

The PrivateArk installation is straightforward, requiring simple installations of two pieces of software: the server and client components. During the server software installation, you’ll need an operating master key, which you’ll find on the CD-ROM included in the product’s package. During the installation, PrivateArk uses the operating master key to generate a key for the server package. If you don’t have the generated key when PrivateArk attempts to start, the service will fail and you’ll need to restart the service with the CD-ROM in the CD-ROM drive. After the service starts, however, you can remove the CD-ROM and store it in a safe place. This feature limits the possibility of an intruder rebooting the system and attempting to gain access by bypassing authentication with an administrative password. The server front end is simple, letting you configure which IP address the server will use, where the safes folder will exist, and where the server service’s Start and Stop buttons will reside. As Figure 1 shows, the server’s Central Administration window, displays information about the server’s activity, including error messages and occurrences of server startup and shutdown.

My only complaint about the installation process involves configuration changes that you must make to your server. PrivateArk essentially operates as a firewalled system, allowing only PrivateArk Client requests to access specified ports on the server. (Cyber-Ark recommends that you dedicate a server to PrivateArk Server. You can place this hardened, dedicated system in your company’s demilitarized zone—DMZ—if the need arises.) The software requires that you make several configuration changes to the server’s registry, services, and other system components. For example, you need to limit activity on nearly every system port—except the ports that PrivateArk uses. I would prefer that the software automatically perform these time-consuming changes during the installation process.

The client component offers two levels of organization: vaults and safes. A vault, which typically represents a particular geographical organization or department, contains safes. After you create a vault—a simple process that requires only a name for the vault, the server’s IP address, and a unique system port—you create safes, which can contain further categorical division. The structure is entirely up to you. First-time setup of vaults and safes involves setting many user-management options. Although these steps aren’t difficult, they are numerous. The printed User’s Guide, although vague, is essential reading. During this setup process, you’ll probably need to contact Cyber-Ark’s knowledgeable and helpful technical support at least once.

To access a vault that contains the safe you want, simply double-click the vault and enter a username and password (based on the security options that you configured while creating the vault). Your security options include basic user account and password, SecurID, NT’s public key infrastructure (PKI) authorization—assuming you have PKI implemented—and PrivateArk authentication. If you select NT’s PKI authorization, you can import user accounts from your NT domain controller (DC), thereby eliminating the need for users to log on a second time. (After a user properly authenticates with NT, PrivateArk lets that user access the files to which he or she has permissions.) This feature requires that you perform a simple installation of the included PrivateArk NT authentication client on the DC and each client machine. A caveat: If you use NT authentication, your overall security implementation will be inherently weaker and more vulnerable to attack.

To access the product’s safes options, go to the Safe menu. From the drop-down menu, you can set up appropriate owners and users for your safes. Next, you simply select File, Store to place the files that you want to secure into the safes. When the software moves a specified file into the safe, it completely removes the file from its original location. You can also create new files inside a safe: Right-click a safe; select File, New from the pop-up menu; then select the type of file that you want to create. PrivateArk integrates impressively with Windows and Microsoft Office applications. To access files in safes, you can use the familiar File, Open menu option and manage PrivateArk’s safes folder just as you would any other folder or directory. PrivateArk also includes an optional Web browser interface, which lets you access files from remote systems. The software places no limits on file size or file type; you’re limited only by your hard disk’s available space.

PrivateArk provides a nice visual representation of your security. When an owner of a safe or file accesses that item, the software displays a visual notification of that safe or file’s activity. If a user has viewed or changed information in a file, you’ll see an exclamation point next to the file. To obtain a detailed list of users who have accessed a specific safe, as well as a listing of the activities performed, select the safe, then click Inspect. To perform additional monitoring, you can select the Monitoring tab at the bottom of the PrivateArk GUI, which lets you access fairly complete logging information about every safe and file that resides under a particular vault.

To intensify the security of safes and files, PrivateArk offers a unique file-access feature: manual authentication. If you activate manual authentication, the software provides a pop-up notification window that shows a photograph of the user who is attempting access and asks whether you want to accept or decline the request. (You can use any type of graphics file for this feature.) Manual authentication is a great feature for administrators who want ultimate control over safe access.

PrivateArk’s structured vault-and-safe organization secures files well and helps you organize your files. Like any file-management implementation, initial configuration of PrivateArk can be tedious because of the sheer amount of planning you must do. I recommend that you plan your organizational structure and file locations beforehand so that you can speed up the configuration process. PrivateArk’s cost makes the product prohibitive for smaller organizations, which will probably find better value in implementing Win2K with EFS. However, any enterprise that would consider PrivateArk probably won’t flinch at the cost. Hardening a Win2K server and implementing EFS and PKI technologies will provide many of the security benefits that PrivateArk offers. However, Cyber-Ark’s product also provides the notable capability to micromanage file security and data access—you can determine which users can access encrypted files. You need to decide whether this product’s granular control and level of security are worth the extra time, money, and effort.

PrivateArk 1.41
Contact: Cyber-Ark Software * 888-808-9005
Web: http://www.cyber-ark.com
Price: PrivateArk Server costs $15,000; clients cost $120 each for the first 1000 licenses; volume discounts available
Decision Summary:
Pros: Quick installation; several authentication choices, including public key infrastructure; clean, well-designed GUI; impressive monitoring tools
Cons: Time-consuming vault-and-safe setup, particularly in larger networks; vague configuration instructions; high cost